Bug#898943: Multiple vulnerabiliities in Mongoose
I'm already using mongoose 6.11 in the svn of SMPlayer. So far it seems to work fine for me. https://app.assembla.com/spaces/smplayer/subversion/commits/9030 2018-06-07 15:08 GMT+02:00 Reinhard Tartler : > On Thu, Jun 7, 2018 at 6:20 AM Mateusz Ĺukasik wrote: > >> This is not fixed for me. I made patch with add latest Mongoose version >> which included fixed for all of this cve's. >> It pushed now to salsa. >> >> -- > > Thank you! > > I see that you've added > https://salsa.debian.org/multimedia-team/smplayer/blob/master/debian/patches/03-update-mongoose-to-6.11.patch > - which is a pretty big patch. I wouldn't know how to test it (I don't > use that feature) or even verify that the patch work. Matteusz, can > you please elaborate how you verified the patch and how confident are > you that it doesn't introduce unwanted side-effects? > > Ricardo, would that patch be acceptable for upstream inclusion? - Your > opinion is highly valued and would be helpful in forming an opinion on > Mateusz' patch. > > Mateusz, I also see that you prepared a new upstream version. That's > great, in fact, I've also prepared it locally to see if the issue > happened to be fixed upstream, but determined mongosse was not updated > and concluded the problem still persists. I've therefore decided to > not upload the new upstream version and focus on the existing issues > instead. Hence, I've applied the patch to disable the build of > mongoose in the present package version. I see that you disabled it in > https://salsa.debian.org/multimedia-team/smplayer/commit/5d780999b6ee7a84d737fdb5dbc07ea9a25e4cde > (the commit message didn't help with finding that SHA1, I'd appreciate > more accurate messages in the future) - which is fine by me *if* we > are confident that the mongoose update actually fixes the problem (see > my question above). > > Also, did you verify that the new mongoose patch builds with GCC-8? My > patch to disable mongoose takes care of that as well, it would be a > shame to reintroduce #897863 again. > > -- > regards, > Reinhard -- RVM
Bug#898943: Multiple vulnerabiliities in Mongoose
I don't know yet. I guess I'll have to look for another simple web server. 2018-06-03 23:15 GMT+02:00 Reinhard Tartler : > Thanks for the tip, Ricardo! > > It appears that disabling that define still compiles (and installs) > the vulnerable program. I'll upload a new package that not only > disables that define, but also modifies the top-level Makefile to no > longer build and install mongoose: > > https://salsa.debian.org/multimedia-team/smplayer/blob/faf7f1d0a24377617b00e471edc69f9caa191f77/debian/patches/07-disable-chromecast.patch > > Let me know what you think and what do you intend to do upstream to > resolve this issue. > > Thanks, > Reinhard > On Sun, Jun 3, 2018 at 2:58 PM Ricardo Villalba > wrote: >> >> Hello. >> >> I wasn't aware of those vulnerabilities in mongoose. >> It's possible to disable the support for chromecast in smplayer >> commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro >> >> 2018-06-03 18:41 GMT+02:00 Reinhard Tartler : >> > Hi Richardo, >> > >> > I'm not sure if you have seen this email, Moritz from the debian >> > security team is reporting a release-critical bug in smplayer. More >> > specifically, smplayer appears to be using the mongoose webserver >> > implementation as in implementation detail of the chromecast >> > component. >> > >> > Having to remove smplayer would be most unfortunate. I checked the >> > upstream commits at >> > https://github.com/cesanta/mongoose/commits/master, but apparently >> > there is no fix available yet. Maybe I'm missing something but if not, >> > my question to you is whether we can easily disable the chromecast >> > component from the smplayer build? >> > >> > Please let me know your thoughts on this. >> > >> > Best, >> > Reinhard >> > >> > -- Forwarded message - >> > From: Moritz Muehlenhoff >> > Date: Thu, May 17, 2018 at 12:51 PM >> > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose >> > To: Debian Bug Tracking System >> > >> > >> > Source: smplayer >> > Severity: grave >> > Tags: security >> > >> > smplayer seems to embed Cesenta Mongoose: >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921 >> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922 >> > >> > Cheers, >> > Moritz >> > >> > ___ >> > pkg-multimedia-maintainers mailing list >> > pkg-multimedia-maintain...@alioth-lists.debian.net >> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers >> > >> > >> > -- >> > regards, >> > Reinhard >> >> >> >> -- >> RVM > > > > -- > regards, > Reinhard -- RVM
Bug#898943: Multiple vulnerabiliities in Mongoose
Hello. I wasn't aware of those vulnerabilities in mongoose. It's possible to disable the support for chromecast in smplayer commenting the line DEFINES += CHROMECAST_SUPPORT in src/smplayer.pro 2018-06-03 18:41 GMT+02:00 Reinhard Tartler : > Hi Richardo, > > I'm not sure if you have seen this email, Moritz from the debian > security team is reporting a release-critical bug in smplayer. More > specifically, smplayer appears to be using the mongoose webserver > implementation as in implementation detail of the chromecast > component. > > Having to remove smplayer would be most unfortunate. I checked the > upstream commits at > https://github.com/cesanta/mongoose/commits/master, but apparently > there is no fix available yet. Maybe I'm missing something but if not, > my question to you is whether we can easily disable the chromecast > component from the smplayer build? > > Please let me know your thoughts on this. > > Best, > Reinhard > > -- Forwarded message - > From: Moritz Muehlenhoff > Date: Thu, May 17, 2018 at 12:51 PM > Subject: Bug#898943: Multiple vulnerabiliities in Mongoose > To: Debian Bug Tracking System > > > Source: smplayer > Severity: grave > Tags: security > > smplayer seems to embed Cesenta Mongoose: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2891 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2892 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2893 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2894 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2895 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2909 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2921 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2922 > > Cheers, > Moritz > > ___ > pkg-multimedia-maintainers mailing list > pkg-multimedia-maintain...@alioth-lists.debian.net > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers > > > -- > regards, > Reinhard -- RVM